November Patch Tuesday 2021 Addresses 55 Vulnerabilities

Microsoft Releases November 2021 Patch Tuesday Fixes

There are 6 Critical (double last month's count) and 49 Important fixes in this release. Updates were included for Microsoft Windows and Windows components, 3D Viewer, Azure, Azure RTOS and Sphere, Microsoft Dynamics, Microsoft Office, Visual Studio and Visual Studio Code, and Windows 11 has received its second security patch.

Year 2 Extended Support – Windows 7 and Windows Server 2008 (including R2) have received some updates this month. If you are still using Windows 7 or 2008, the time to review whether you need a third and final year of ESU is very close.

  1. Windows 7 – 1 Critical and 10 Important fixes
  2. Windows 2008 R2 – 1 Critical and 14 Important fixes

Robert Brown, Head of Customer Success for Syxsense said, “Overall, this year we have seen a massive drop in the number of fixes addressed by the Patch Tuesday security updates. This is most likely down to the extended support of the Windows 10 Feature Updates throughout 2021, however as Microsoft have launched another business operating system that number is likely to rise again.”

Our suggestion would be to choose which Operating System (10 vs. 11) your business will use for 2022 and stick with it. If your company policy is to stick with Windows 10, we recommend implementing procedures to stop users from accidentally upgrading their devices to Windows 11.

Top November 2021 Patches and Vulnerabilities

Based on the Vendor Severity and CVSS Score, we have made a few recommendations below. As usual, we recommend entering the CVE numbers below into your patch management solution and deploying as soon as possible. 

1. CVE-2021-3711: OpenSSL: SM2 Decryption Buffer Overflow

An attacker who is able to present SM2 content for decryption to an application could cause attacker-chosen data to overflow the buffer by up to a maximum of 62 bytes, altering the contents of other data held after the buffer and possibly changing application behavior or causing the application to crash.

This vulnerability was released before November but has been reviewed and rescored by NVD.

Syxscore

  • Vendor Severity: Critical
  • CVSS: 9.8
  • Weaponized: No
  • Public Aware: No
  • Countermeasure: No

Syxscore Risk

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges: None
  • User Interaction: None
  • Scope (Jump Point): No

2. CVE-2021-26443: Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability

A remote code execution vulnerability exists when a VM guest fails to properly handle communication on a VMBus channel. To exploit the vulnerability, an authenticated attacker could send a specially crafted communication on the VMBus channel from the guest VM to the Host. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Syxscore

  • Vendor Severity: Critical
  • CVSS: 9.0
  • Weaponized: No
  • Public Aware: No
  • Countermeasure: No

Syxscore Risk

  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges: Low
  • User Interaction: None
  • Scope (Jump Point): Changed

3. CVE-2021-38666: Remote Desktop Client Remote Code Execution Vulnerability

An attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system, and Microsoft has suggested that this vulnerability is “More Likely” to be used in an attack.

Syxscore

  • Vendor Severity: Critical
  • CVSS: 8.8
  • Weaponized: No
  • Public Aware: No
  • Countermeasure: No

Syxscore Risk

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges: None
  • User Interaction: Required
  • Scope (Jump Point): Unchanged

Syxsense Recommendations

Based on the vendor severity and CVSS Score, we have made a few recommendations below which you should prioritize this month. Please pay close attention to any of these which are publicly aware or weaponized.

| CVE Reference | Description | Vendor Severity | CVSS Score | Weaponised | Publicly Aware | Countermeasure | Highest Priority |
|---|---|---|---|---|---|---|---|
| CVE-2021-42321 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | Yes | No | No | Yes |
| CVE-2021-42292 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 7.8 | Yes | No | No | Yes |
| CVE-2021-43208 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | No | Yes | No | Yes |
| CVE-2021-43209 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | No | Yes | No | Yes |
| CVE-2021-38631 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 4.4 | No | Yes | No | Yes |
| CVE-2021-41371 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 4.4 | No | Yes | No | Yes |
| CVE-2021-3711 | OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow | Critical | 9.8 | No | No | No | Yes |
| CVE-2021-26443 | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | Critical | 9 | No | No | No | Yes |
| CVE-2021-38666 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | 8.8 | No | No | No | Yes |
| CVE-2021-42316 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Critical | 8.7 | No | No | No | Yes |
| CVE-2021-42298 | Microsoft Defender Remote Code Execution Vulnerability | Critical | 7.8 | No | No | No | Yes |
| CVE-2021-42279 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | 4.2 | No | No | No | Yes |
| CVE-2021-42275 | Microsoft COM for Windows Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | Yes |
| CVE-2021-42283 | NTFS Elevation of Privilege Vulnerability | Important | 8.8 | No | No | No | Yes |
| CVE-2021-41366 | Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2021-40442 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2021-42276 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2021-42296 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2021-41367 | NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2021-41370 | NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2021-42322 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2021-42286 | Windows Core Shell SI Host Extension Framework for Composable Shell Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2021-36957 | Windows Desktop Bridge Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2021-41377 | Windows Fast FAT File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2021-42285 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2021-41378 | Windows NTFS Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2021-41372 | Power BI Report Server Spoofing Vulnerability | Important | 7.6 | No | No | No | |
| CVE-2021-42278 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | No | |
| CVE-2021-42282 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | No | |
| CVE-2021-42287 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | No | |
| CVE-2021-42291 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | No | |
| CVE-2021-41356 | Windows Denial of Service Vulnerability | Important | 7.5 | No | No | No | |
| CVE-2021-38665 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important | 7.4 | No | No | No | |
| CVE-2021-42284 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.8 | No | No | No | |
| CVE-2021-42274 | Windows Hyper-V Discrete Device Assignment (DDA) Denial of Service Vulnerability | Important | 6.8 | No | No | No | |
| CVE-2021-41374 | Azure Sphere Information Disclosure Vulnerability | Important | 6.7 | No | No | No | |
| CVE-2021-42302 | Azure RTOS Elevation of Privilege Vulnerability | Important | 6.6 | No | No | No | |
| CVE-2021-42303 | Azure RTOS Elevation of Privilege Vulnerability | Important | 6.6 | No | No | No | |
| CVE-2021-42304 | Azure RTOS Elevation of Privilege Vulnerability | Important | 6.6 | No | No | No | |
| CVE-2021-41349 | Microsoft Exchange Server Spoofing Vulnerability | Important | 6.5 | No | No | No | |
| CVE-2021-42305 | Microsoft Exchange Server Spoofing Vulnerability | Important | 6.5 | No | No | No | |
| CVE-2021-41368 | Microsoft Access Remote Code Execution Vulnerability | Important | 6.1 | No | No | No | |
| CVE-2021-42300 | Azure Sphere Tampering Vulnerability | Important | 6 | No | No | No | |
| CVE-2021-42288 | Windows Hello Security Feature Bypass Vulnerability | Important | 5.7 | No | No | No | |
| CVE-2021-42277 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | Important | 5.5 | No | No | No | |
| CVE-2021-41373 | FS Logix Information Disclosure Vulnerability | Important | 5.5 | No | No | No | |
| CVE-2021-42280 | Windows Feedback Hub Elevation of Privilege Vulnerability | Important | 5.5 | No | No | No | |
| CVE-2021-41379 | Windows Installer Elevation of Privilege Vulnerability | Important | 5.5 | No | No | No | |
| CVE-2021-42319 | Visual Studio Elevation of Privilege Vulnerability | Important | 4.7 | No | No | No | |
| CVE-2021-41375 | Azure Sphere Information Disclosure Vulnerability | Important | 4.4 | No | No | No | |
| CVE-2021-41351 | Microsoft Edge (Chrome based) Spoofing on IE Mode | Important | 4.3 | No | No | No | |
| CVE-2021-26444 | Azure RTOS Information Disclosure Vulnerability | Important | 3.3 | No | No | No | |
| CVE-2021-42301 | Azure RTOS Information Disclosure Vulnerability | Important | 3.3 | No | No | No | |
| CVE-2021-42323 | Azure RTOS Information Disclosure Vulnerability | Important | 3.3 | No | No | No | |
| CVE-2021-41376 | Azure Sphere Information Disclosure Vulnerability | Important | 2.3 | No | No | No | |
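
To turn the table above into a deployment queue, the following added example (not Syxsense's own code) parses rows in the form they appear on this page and orders them weaponized first, then publicly aware, then by CVSS. The `highest_priority` rule is an assumption inferred from the table's "Highest Priority" column, not a published Syxsense formula; the sample rows are a subset copied from the table.

```python
import re

# Rows copied from the table on this page (a subset, to keep the example short).
ROWS = """\
CVE-2021-42321 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8.8 Yes No No Yes
CVE-2021-43208 3D Viewer Remote Code Execution Vulnerability Important 7.8 No Yes No Yes
CVE-2021-38631 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important 4.4 No Yes No Yes
CVE-2021-3711 OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow Critical 9.8 No No No Yes
CVE-2021-42279 Chakra Scripting Engine Memory Corruption Vulnerability Critical 4.2 No No No Yes
CVE-2021-42283 NTFS Elevation of Privilege Vulnerability Important 8.8 No No No Yes
CVE-2021-41366 Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2021-42278 Active Directory Domain Services Elevation of Privilege Vulnerability Important 7.5 No No No
"""

ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+)\s+(?P<desc>.+?)\s+(?P<sev>Critical|Important)\s+"
    r"(?P<cvss>\d+(?:\.\d+)?)\s+(?P<weaponized>Yes|No)\s+(?P<public>Yes|No)\s+"
    r"(?P<counter>Yes|No)(?:\s+(?P<flag>Yes))?$"
)

def parse_rows(text):
    """Parse table rows; tolerates pipe-separated or space-separated cells."""
    out = []
    for line in text.splitlines():
        line = " ".join(line.replace("|", " ").split())
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        r = m.groupdict()
        r["cvss"] = float(r["cvss"])
        for k in ("weaponized", "public", "counter"):
            r[k] = r[k] == "Yes"
        r["flag"] = r["flag"] == "Yes"  # the page's "Highest Priority" cell
        out.append(r)
    return out

def highest_priority(r):
    # Assumed rule, inferred from the table; not Syxsense's published logic.
    return r["weaponized"] or r["public"] or r["sev"] == "Critical" or r["cvss"] >= 8.8

def deployment_order(rows):
    # Weaponized first, then publicly aware, then descending CVSS.
    return sorted(rows, key=lambda r: (not r["weaponized"], not r["public"], -r["cvss"]))

if __name__ == "__main__":
    for r in deployment_order(parse_rows(ROWS)):
        print(f'{r["cve"]:<15} {r["cvss"]:>4} priority={highest_priority(r)}')
```

Comparing `highest_priority(r)` with the parsed `flag` for every row is a quick way to see whether the inferred rule still matches the vendor's column when the table changes.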
